openjpa-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Patrick Linskey <plins...@gmail.com>
Subject Re: [VOTE] Approve OpenJPA 1.1.0 release
Date Fri, 16 May 2008 19:25:56 GMT
> 1. the extra openjpa-xxx and 1.1.0 directories

I believe that the openjpa-parent directory is unnecessary; that was a  
glitch in my copy-and-paste. However, all the rest looks just the same  
to me as people.apache.org:/www/people.apache.org/repo/m2-ibiblio- 
rsync-repository. Bear in mind that the root of the repository overlay  
is ~pcl/release-candidates/1.1.0/repo/m2-ibiblio-rsync-repository, so  
the release-candidates/1.1.0 bit is not part of what the repo would  
look like.

> 2. the lack of jars and poms directories in the repository

Which directories are you expecting? Could you provide a pointer to  
what you're comparing to? Looking at people.apache.org:/repo/m2- 
ibiblio-rsync-repository/org/apache/openejb, the structure looks  
pretty similar.

> 3. unnecessary .sha files for .jar and .pom
> 4. missing .asc files for .jar and .pom

When I added the code that Wendy provided, it generated .sha files and  
did not generate .asc files. I've been operating under the assumption  
that her code snippet is generating satisfactory output. Do we have  
any clear guidance for what output is necessary from that code?

> 5. extra maven-metadata.xml files


Which are the extra ones? Looking at people.apache.org/www/ 
people.apache.org/repo/m2-ibiblio-rsync-repository/org/apache/openejb,  
I see lots of maven-metadata.xml files there as well.

Thanks,

-Patrick

On May 16, 2008, at 12:06 PM, Craig L Russell wrote:

> Hi Patrick,
>
> Thanks for doing that. The results don't match my expectations for a  
> properly organized maven2 repository.
>
> I'm not an expert in maven, but this structure doesn't look like the  
> one you're copying into.
>
> Could someone from maven take a look? What looks fishy to me is
>
> 1. the extra openjpa-xxx and 1.1.0 directories
> 2. the lack of jars and poms directories in the repository
> 3. unnecessary .sha files for .jar and .pom
> 4. missing .asc files for .jar and .pom
> 5. extra maven-metadata.xml files
>
> This doesn't require another vote because the artifacts are not at  
> issue; the packaging is. Once the packaging is straightened out  
> we're good.
>
> Craig
>
> On May 15, 2008, at 3:16 PM, Patrick Linskey wrote:
>
>> Done. You can browse the results at http://people.apache.org/~pcl/release-candidates/1.1.0/repo/m2-ibiblio-rsync-repository

>> , or look at it on people.apache.org at ~pcl/public_html/release- 
>> candidates/1.1.0/repo/m2-ibiblio-rsync-repository.
>>
>> -Patrick
>>
>> On May 15, 2008, at 2:13 PM, Craig L Russell wrote:
>>
>>> Ok,
>>>
>>> How about doing something like this:
>>>> $ find . \ -name m2-repository -not -path "*openjpa-project*" - 
>>>> exec mvn -f /tmp/maven-stage-plugin/pom.xml stage:copy - 
>>>> Dsource=file://{} -Dtarget=scp://people.apache.org/home/pcl/ 
>>>> release-candidate/1.0.0/repo/m2-ibiblio-rsync-repository \ - 
>>>> Dversion=1.0.1 \;
>>>
>>> Then we can look at what you will do after the vote completes and  
>>> argue about whether the artifacts are correct.
>>>
>>> Craig
>>>
>>> On May 15, 2008, at 12:20 PM, Patrick Linskey wrote:
>>>
>>>>>>> What we need to vote on are the (reproducible) release  
>>>>>>> artifacts: the source and binary distributions with asc and 

>>>>>>> md5 sig/checksums; and the maven artifacts that will go into
 
>>>>>>> the mirrored maven repository.
>>>>>>
>>>>>> Sadly, our process does not seem to support generating such an  
>>>>>> artifact.
>>>>>
>>>>> Then how will the maven artifacts get published?
>>>>>>
>>>>>>
>>>>>> I do not understand what you mean by "reproducible";
>>>>>
>>>>> Reinforcing that you should be able to create the same artifacts  
>>>>> by running the scripts again. No manual to-and-fro should be  
>>>>> involved.
>>>>
>>>> From [1], the last step in the release process is:
>>>>
>>>> $ find . \ -name m2-repository -not -path "*openjpa-project*" - 
>>>> exec mvn -f /tmp/maven-stage-plugin/pom.xml stage:copy - 
>>>> Dsource=file://{} -Dtarget=scp://people.apache.org/www/ 
>>>> people.apache.org/repo/m2-ibiblio-rsync-repository \ - 
>>>> Dversion=1.0.1 \;
>>>>
>>>> My understanding is that once that script is run, the contents  
>>>> are uploaded to the non-snapshot mvn repository. I.e., if I were  
>>>> to run that script, things would be released to the wild. That  
>>>> sounds to me like something that should happen only once the  
>>>> release is approved, and not before.
>>>>
>>>> So, in other words, the semi-automatic process documented at [1]  
>>>> takes the output that I've linked to and pushes it to the mvn  
>>>> repo directly.
>>>>
>>>> As I pointed out, I think that there is room for improving this  
>>>> process. I would rather, however, cut out the mvn artifacts from  
>>>> the 1.1.0 release than spend the next days rushing through trying  
>>>> to learn about mvn's world view when it comes to further mvn  
>>>> automation.
>>>>
>>>>>> this was all generated in exactly the same manner as prior  
>>>>>> (approved) OpenJPA releases, with the exception that we're now  
>>>>>> generating md5 and asc files for more of the artifacts.
>>>>>
>>>>> And we have had problems with subsequent maven artifact  
>>>>> postings, which I want to fix by having more oversight earlier.
>>>>
>>>> It was my understanding that the only issue that we've  
>>>> encountered in the previous releases was the lack of signed  
>>>> artifacts. I believe that the work that I've done addresses that.  
>>>> As I mentioned above, since our process deploys directly to the  
>>>> mvn repo, I know of no way to validate that that's the case.  
>>>> Further, I am not scared of directly (manually) updating the mvn  
>>>> repo; I was under the impression that it was the artifacts, and  
>>>> not the process, that needed voting / approval.
>>>>
>>>>>> I see lots of m2-repository contents that would seem to conform 

>>>>>> to what maven expects, but I'm no maven expert:
>>>>>>
>>>>>> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
>>>>>
>>>>> These directories are not proper maven repositories, so a subset  
>>>>> of these artifacts then need to be copied to completely  
>>>>> different directories. How will this be done? Why can't they be  
>>>>> copied "now" to a temporary maven repo so they can be vetted?
>>>>
>>>> I have no idea what "proper maven repositories" look like.
>>>>
>>>> How about this: let's get rid of all the mvn artifacts from the  
>>>> 1.1.0 release, and focus instead just on the binary and source  
>>>> zips.
>>>>
>>>> -Patrick
>>>>
>>>> [1] http://openjpa.apache.org/releasing-openjpa.html
>>>>
>>>>
>>>> On May 15, 2008, at 12:04 PM, Craig L Russell wrote:
>>>>
>>>>> Hi Patrick,
>>>>>
>>>>> On May 15, 2008, at 11:52 AM, Patrick Linskey wrote:
>>>>>
>>>>>>> What we need to vote on are the (reproducible) release  
>>>>>>> artifacts: the source and binary distributions with asc and 

>>>>>>> md5 sig/checksums; and the maven artifacts that will go into
 
>>>>>>> the mirrored maven repository.
>>>>>>
>>>>>> Sadly, our process does not seem to support generating such an  
>>>>>> artifact.
>>>>>
>>>>> Then how will the maven artifacts get published?
>>>>>>
>>>>>>
>>>>>> I do not understand what you mean by "reproducible";
>>>>>
>>>>> Reinforcing that you should be able to create the same artifacts  
>>>>> by running the scripts again. No manual to-and-fro should be  
>>>>> involved.
>>>>>
>>>>>> this was all generated in exactly the same manner as prior  
>>>>>> (approved) OpenJPA releases, with the exception that we're now  
>>>>>> generating md5 and asc files for more of the artifacts.
>>>>>
>>>>> And we have had problems with subsequent maven artifact  
>>>>> postings, which I want to fix by having more oversight earlier.
>>>>>>
>>>>>>
>>>>>> I see lots of m2-repository contents that would seem to conform 

>>>>>> to what maven expects, but I'm no maven expert:
>>>>>>
>>>>>> http://openjpa.apache.org/builds/1.1.0/apache-openjpa/m2-repository/org/apache/openjpa/apache-openjpa/1.1.0/
>>>>>
>>>>> These directories are not proper maven repositories, so a subset  
>>>>> of these artifacts then need to be copied to completely  
>>>>> different directories. How will this be done? Why can't they be  
>>>>> copied "now" to a temporary maven repo so they can be vetted?
>>>>>
>>>>> Craig
>>>>>>
>>>>>>
>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-examples/m2-repository/org/apache/openjpa/openjpa-examples/1.1.0/
>>>>>>
>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>>>>>>
>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-kernel/m2-repository/org/apache/openjpa/openjpa-kernel/1.1.0/
>>>>>>
>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-lib/m2-repository/org/apache/openjpa/openjpa-lib/1.1.0/
>>>>>>
>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence-jdbc/m2-repository/org/apache/openjpa/openjpa-jdbc/1.1.0/
>>>>>>
>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-persistence/m2-repository/org/apache/openjpa/openjpa-persistence/1.1.0/
>>>>>>
>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-slice/m2-repository/org/apache/openjpa/openjpa-slice/1.1.0/
>>>>>>
>>>>>> http://openjpa.apache.org/builds/1.1.0/openjpa-xmlstore/m2-repository/org/apache/openjpa/openjpa-xmlstore/1.1.0/
>>>>>>
>>>>>> Does this help?
>>>>>>
>>>>>> -Patrick
>>>>>>
>>>>>> On May 15, 2008, at 10:32 AM, Craig L Russell wrote:
>>>>>>
>>>>>>> Hi Patrick,
>>>>>>>
>>>>>>> On May 15, 2008, at 10:10 AM, Patrick Linskey wrote:
>>>>>>>
>>>>>>>> Hi,
>>>>>>>>
>>>>>>>>> Nice job, but need a bit more to review.
>>>>>>>>
>>>>>>>> Thanks! I'm assuming that you mean that you can't vote +1
 
>>>>>>>> now, but that you'll have time between now and Monday  
>>>>>>>> evening, right?
>>>>>>>
>>>>>>> Right.
>>>>>>>>
>>>>>>>>
>>>>>>>>> There's a requirement that all artifacts have an md5
 
>>>>>>>>> checksum in addition to the asc signature.
>>>>>>>>
>>>>>>>> Those should all be generated. In fact, it looks like we
even  
>>>>>>>> have md5 checksums of the signatures!
>>>>>>>
>>>>>>> In the link you sent out
>>>>>>>>>> A candidate build for OpenJPA 1.1.0 is available
at:
>>>>>>>>>>
>>>>>>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>>>>>
>>>>>>> there are only the source and binary distribution files with
 
>>>>>>> asc sigs, no md5 and no maven artifacts.
>>>>>>>>
>>>>>>>>
>>>>>>>>> Since we plan to put the jar files into the global maven
 
>>>>>>>>> repo, the artifacts should be on the download site for
 
>>>>>>>>> review. The jar files also need md5 and asc signatures.
>>>>>>>>
>>>>>>>> Everything can be found at people.apache.org/www/ 
>>>>>>>> openjpa.apache.org/builds/1.1.0.
>>>>>>>
>>>>>>> Everything including the kitchen sink. But there are many  
>>>>>>> files and plain junk in that location that it's impossible for
 
>>>>>>> me to review.
>>>>>>>>
>>>>>>>> Also, I think it's worth noting that there are definite 

>>>>>>>> improvements that we could make in our staging / delivery
 
>>>>>>>> process. I'd appreciate it if we didn't hold 1.1.0 hostage
 
>>>>>>>> for those changes. My understanding from Wendy's comments
 
>>>>>>>> about the last release process was that we needed more  
>>>>>>>> signatures; I believe that the new release is sufficiently-

>>>>>>>> signed. If there are other improvements that we could make,
 
>>>>>>>> I'm all for making them, but would rather see non- 
>>>>>>>> showstopping issues get logged and addressed in 1.1.1 etc.
>>>>>>>
>>>>>>> The problem is that with all the stuff in the builds/1.1.0  
>>>>>>> directory it's not possible to make sense of it. Browsing the
 
>>>>>>> builds/1.1.0, there are several things that look like maven 

>>>>>>> artifacts but they're in the wrong place, e.g. openjpa-jdbc/m2-

>>>>>>> repository/org/apache/openjpa/openjpa-jdbc/1.1.0 which has an
 
>>>>>>> extra 1.1.0 directory and has extra files e.g. -rw-rw-r--  1
 
>>>>>>> pcl  openjpa       32 May 14 22:36 openjpa- 
>>>>>>> jdbc-1.1.0.jar.asc.md5 (generally it's not required to  
>>>>>>> checksum a signature;-).
>>>>>>>
>>>>>>> So there's a non-trivial step between the artifacts that  
>>>>>>> you've pointed to and the actual release that we propose to 

>>>>>>> mirror to the world. And there's no PMC oversight possible for
 
>>>>>>> that non-trivial step.
>>>>>>>
>>>>>>> What we need to vote on are the (reproducible) release  
>>>>>>> artifacts: the source and binary distributions with asc and 

>>>>>>> md5 sig/checksums; and the maven artifacts that will go into
 
>>>>>>> the mirrored maven repository.
>>>>>>>
>>>>>>> Craig
>>>>>>>>
>>>>>>>>
>>>>>>>> -Patrick
>>>>>>>>
>>>>>>>> On May 15, 2008, at 9:52 AM, Craig L Russell wrote:
>>>>>>>>
>>>>>>>>> Hi Patrick,
>>>>>>>>>
>>>>>>>>> Nice job, but need a bit more to review.
>>>>>>>>>
>>>>>>>>> There's a requirement that all artifacts have an md5
 
>>>>>>>>> checksum in addition to the asc signature.
>>>>>>>>>
>>>>>>>>> Since we plan to put the jar files into the global maven
 
>>>>>>>>> repo, the artifacts should be on the download site for
 
>>>>>>>>> review. The jar files also need md5 and asc signatures.
>>>>>>>>>
>>>>>>>>> Craig
>>>>>>>>>
>>>>>>>>> On May 14, 2008, at 11:37 PM, Patrick Linskey wrote:
>>>>>>>>>
>>>>>>>>>> OpenJPA Developers-
>>>>>>>>>>
>>>>>>>>>> A candidate build for OpenJPA 1.1.0 is available
at:
>>>>>>>>>>
>>>>>>>>>> http://openjpa.apache.org/builds/1.1.0/downloads/
>>>>>>>>>>
>>>>>>>>>> Please review these artifacts and signatures, and
vote  
>>>>>>>>>> whether we
>>>>>>>>>> should release them as Apache OpenJPA version 1.1.0.
 
>>>>>>>>>> Release notes
>>>>>>>>>> for this release are included in the artifact, or
can be  
>>>>>>>>>> browsed at:
>>>>>>>>>>
>>>>>>>>>> http://svn.apache.org/repos/asf/openjpa/branches/1.1.0/openjpa-project/RELEASE-NOTES.html
>>>>>>>>>>
>>>>>>>>>> The Apache Release Audit Tool has been run on the
release,  
>>>>>>>>>> and no
>>>>>>>>>> missing licenses were found with the exceptions listed
in the
>>>>>>>>>> exclusion section of the "rat-maven-plugin" configuration
 
>>>>>>>>>> in http://
>>>>>>>>>> svn.apache.org/repos/asf/openjpa/branches/1.1.0/pom.xml
.
>>>>>>>>>>
>>>>>>>>>> In accordance with http://www.apache.org/foundation/
>>>>>>>>>> voting.html#ReleaseVotes , three +1 votes will be
 
>>>>>>>>>> sufficient to
>>>>>>>>>> approve the release for publication. While it is
not  
>>>>>>>>>> possible to veto
>>>>>>>>>> a release, the vote will remain open for the standard
3 day  
>>>>>>>>>> period
>>>>>>>>>> (ending at 11:30pm Pacific on Monday 5/19) in order
to  
>>>>>>>>>> allow people to
>>>>>>>>>> thoroughly review the release and perform whatever
 
>>>>>>>>>> additional testing
>>>>>>>>>> they desire and raise any concerns or objections.
>>>>>>>>>>
>>>>>>>>>> A vote of "+1" means you approve of the release for
 
>>>>>>>>>> publication, "-1"
>>>>>>>>>> means you do not approve, and a "+0" or "-0" means
you are  
>>>>>>>>>> neutral.
>>>>>>>>>>
>>>>>>>>>> Thanks in advance for your diligence in helping to
ensure  
>>>>>>>>>> that the
>>>>>>>>>> quality of the OpenJPA 1.1.0 release reflects the
high  
>>>>>>>>>> quality of all
>>>>>>>>>> of its contributors!
>>>>>>>>>>
>>>>>>>>>> -Patrick
>>>>>>>>>>
>>>>>>>>>> -- 
>>>>>>>>>> Patrick Linskey
>>>>>>>>>> 202 669 5907
>>>>>>>>>>
>>>>>>>>>
>>>>>>>>> Craig Russell
>>>>>>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>>>>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>>>>>>> P.S. A good JDO? O, Gasp!
>>>>>>>>>
>>>>>>>>
>>>>>>>> -- 
>>>>>>>> Patrick Linskey
>>>>>>>> 202 669 5907
>>>>>>>>
>>>>>>>
>>>>>>> Craig Russell
>>>>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>>>>> P.S. A good JDO? O, Gasp!
>>>>>>>
>>>>>>
>>>>>> -- 
>>>>>> Patrick Linskey
>>>>>> 202 669 5907
>>>>>>
>>>>>
>>>>> Craig Russell
>>>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>>>> P.S. A good JDO? O, Gasp!
>>>>>
>>>>
>>>> -- 
>>>> Patrick Linskey
>>>> 202 669 5907
>>>>
>>>
>>> Craig Russell
>>> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
>>> 408 276-5638 mailto:Craig.Russell@sun.com
>>> P.S. A good JDO? O, Gasp!
>>>
>>
>> -- 
>> Patrick Linskey
>> 202 669 5907
>>
>
> Craig Russell
> Architect, Sun Java Enterprise System http://java.sun.com/products/jdo
> 408 276-5638 mailto:Craig.Russell@sun.com
> P.S. A good JDO? O, Gasp!
>

-- 
Patrick Linskey
202 669 5907


Mime
View raw message